Being root via ssl

Matthew Seaman m.seaman at
Fri May 2 02:43:27 PDT 2003

On Fri, May 02, 2003 at 11:13:13AM +0200, Fedder Skovgaard wrote:

> I've got a 5.0-release box running remotely, and access it through ssl. I 
> (obviously) created a default user account for day to day work, but 
> discovered that I wasn't able to "su" when logged in via ssl. 

I take it you mean 'ssh' rather than ssl.

Once you've logged in via ssh (or any other mechanism), you have full
access to all the permissions of your account.  Thus if you can't su
to root from a ssh session, then it's more than probable that you
couldn't su even if logged in to that account on the console.

Now, the reason that you can't su from your personal account is a FAQ:
you need to be a member of group 'wheel' before you can do that.

To make yourself a member of the wheel group, log in as root and:

    # pw group mod -n wheel -m fsk

and when you log into the fsk account again, you should be able to su.
> The only way I (As a newbie) could be able to change to root was to allow 
> direct root login via ssl, which was documented as being something one 
> quite seldomly would want to do.

Yes. This is true.  For interactive logins a) you really don't want to
run as root for the whole session, just for those commands that
require root priviledge and b) requiring people to log in under their
own UIDs and then use su(1) or sudo(8) or equivalent establishes an
audit trail which is invaluable when it all goes horribly wrong.

However, this is not a hard and fast rule, and local ideosyncrasies
may override common sense.

Note that a) applies just as well to logins via the console as well as
via the network.  However, don't even think about locking root out of
console logins unless you fully understand the consequences.

> What is the preferred way of doing this, and is it _really_ dangerous to 
> allow root login via ssl ?

Make a rule to always log in under your own user ID, and then only use
su(1) absolutely when necessary: preferably for single command lines
only.  Even better is to install sudo(8) or super(8) from the ports,
which allow you to set up nominated users to run commands with root
privilege but without having to hand out the root password.  This is a
good idea even if it's your own personal machine and you are the only

The one great exception to all this is where you need to remotely run
a privileged command via ssh *automatically* and without user
intervention to type in passwords -- eg. to kick off a backup in the
middle of the night.  In this case you should use ssh key based
authorization: generate a passwordless key pair for root, but use the
'command=/foo/bar/baz' syntax in root's authorized_keys file to limit
what can be run via that particular key.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP:         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-questions mailing list